e323c45cb0
- Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss
29 lines
1.3 KiB
Markdown
29 lines
1.3 KiB
Markdown
# Cost & Tagging Requirements
|
|
|
|
Phase: deployment
|
|
Enforcement: informational
|
|
|
|
## COST-001: Standard Resource Tagging
|
|
|
|
All cloud resources MUST include the organization's standard tag set for cost attribution.
|
|
|
|
**Rule:** Every resource that supports tagging must include: `team`, `service`, `environment`, `cost-center`. These are used for chargeback and cost allocation dashboards.
|
|
|
|
**Test:** Parse IaC files, verify tag block contains all four required keys.
|
|
|
|
## COST-002: No Unbounded Resource Allocation
|
|
|
|
Service configurations MUST define resource ceilings. No open-ended scaling or storage without limits.
|
|
|
|
**Rule:** Auto-scaling must have explicit maximums. Storage must have lifecycle policies. Compute must have resource limits. "Unlimited" is not a valid configuration.
|
|
|
|
**Test:** Check scaling configs for `maxReplicas`/`maxCapacity`. Check storage for lifecycle rules.
|
|
|
|
## COST-003: No Dedicated Infrastructure Per Tenant
|
|
|
|
Services MUST NOT provision tenant-specific infrastructure (dedicated databases, queues, or compute per customer).
|
|
|
|
**Rule:** Multi-tenancy is handled at the application layer, not the infrastructure layer. Tenant isolation through data partitioning, not resource duplication. Exceptions require FinOps approval.
|
|
|
|
**Test:** Scan IaC and Helm values for tenant-specific resource naming patterns or parameterized infrastructure per tenant.
|